Is it possible to use HTTP/1.1 digest access authentication instead of basic access authentication when restricting access to a website with nginx?
I mean this in a similar fashion as on the nginx guide.
You can use the ngx_http_auth_digest module.
That module is not standard yet, so you'd have to install it.
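To show what digest authentication changes compared with basic auth, here is an added Python example (not code from the question, the answer or the nginx digest module) that verifies an `Authorization: Digest` header the way a server does. The realm, user, password, nonces and htdigest-style credential line are constructed for illustration; only the qop=auth variant of RFC 2617 is implemented, and nonce freshness and nc replay tracking are left to the caller.

```python
"""Server-side verification of an RFC 2617 Digest Authorization header.

Added example, not code from the original answer or from the nginx digest module.
It shows what an htdigest-style file stores (HA1 = MD5(user:realm:password), not
the password) and how the server recomputes the client's response for qop=auth.
Realm, users, nonces and passwords below are constructed for illustration.
"""
import hashlib
import hmac
import re

REALM = "restricted"   # constructed realm name


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def htdigest_line(user: str, realm: str, password: str) -> str:
    """The line an htdigest file stores: user:realm:HA1 (no plaintext password)."""
    return f"{user}:{realm}:{_md5_hex(f'{user}:{realm}:{password}')}"


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict; values may be quoted or bare."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k: (quoted if quoted else bare) for k, quoted, bare in pairs}


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_header(user, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """What a client sends; only a hash derived from the password goes on the wire."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    resp = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def verify(htdigest_file: str, method: str, header: str) -> bool:
    """Check one request against htdigest-style lines. Nonce freshness and nc
    replay tracking are the caller's job; this only checks the hash binding."""
    try:
        p = parse_digest_header(header)
    except ValueError:
        return False
    if p.get("qop") != "auth":          # only qop=auth is implemented here
        return False
    for line in htdigest_file.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue
        user, realm, ha1 = parts
        if user == p.get("username") and realm == p.get("realm"):
            expected = digest_response(ha1, method, p.get("uri", ""), p.get("nonce", ""),
                                       p.get("nc", ""), p.get("cnonce", ""))
            return hmac.compare_digest(expected, p.get("response", ""))
    return False
```

Because the method and URI are bound into HA2, a captured response cannot be replayed against a different resource or verb, and because the server stores only HA1, a leaked credential file does not yield plaintext passwords (though HA1 itself is enough to authenticate, so it still needs protecting).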
I have an internal REST API (running as a Windows service on a specific port number) that needs to be set up for external access. It only supports/requires NTLM (Windows) authentication and doesn't accept another authentication method. However, the client only supports Basic authentication.
Is there a way to set up a (Windows-based) reverse proxy server that is able to accept "Basic authenticated" requests and can pass them through using NTLM authentication instead? So, basically, what I'm looking for is a way to change the authentication method from Basic (client) to NTLM (server).
A simple IIS url rewrite won't solve this matter, of course. I thought I had found a solution here, however, I guess this will only work if both client and server authenticate via NTLM (and thus only acts as a "passthrough" solution), which is not what I'm looking for.
Does anyone know a way of solving this?
I am new to Nginx, so please bear with me if my question is obvious.
I am looking for ways to authenticate users to the Nginx server. From my research I've understood there are two primary options:
End-user sends a request that contains the private key (in the header, for example) to Nginx, Nginx sends the authentication to an auth server, and Nginx gets an answer whether the user is authenticated or not.
The second option is Nginx Plus (a service that costs money), where Nginx handles the authentication process. If someone knows an open-source version of this option it would be the best.
I would really appreciate the help, thank you all!
The good old Basic authentication still exists, along with the ngx_http_auth_basic_module. Unfortunately the only algorithm that is implemented by nginx itself is the old and weak Apache MD5; however, using glibc-based host systems you have some other options. You can find out more details here.
You can authenticate your users using client-side certificates. There are many articles all over the internet; here is Client-Side Certificate Authentication with Nginx from the first page of Google search results.
You can use the js_content directive from njs module as the auth location content handler (instead of proxying auth request to some backend app). Or you can do both things, you may find the Validating OAuth 2.0 Access Tokens with NGINX and NGINX Plus article to be very interesting.
You can implement almost every authentication mechanism you can ever imagine using the famous lua-nginx-module. Some useful links (again, from the very first page of Google search results) are
Method of using Lua to write authentication module of nginx server
NGINX Lua OAuth Proxy Plugin
Nginx Lua script redis based for Basic user authentication
Although this one relates only to Nginx Plus, to make the answer complete I have to mention ngx_http_auth_jwt_module and a few official articles from F5:
Setting up JWT Authentication
Authenticating API Clients with JWT and NGINX Plus
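The first option the question describes (nginx forwarding the authentication decision to a separate auth server) is what the open-source ngx_http_auth_request_module does. Here is an added Python example of such a backend; it is not code from the answer above or from any nginx project. nginx makes a subrequest carrying the client's headers and only looks at the status code, so the backend can use whatever password storage it likes. The user, password, port and the nginx snippet in the comments are assumptions constructed for illustration.

```python
"""Minimal backend for nginx's auth_request (ngx_http_auth_request_module).

Added example, not code from the original answer or from any nginx project. With
auth_request, nginx sends a subrequest carrying the client's headers (no body) and
only looks at the status: 2xx lets the request through, 401 or 403 denies it.
Because this backend, not nginx, checks the credentials, it is free to store PBKDF2
hashes rather than the Apache MD5 htpasswd format. Users, passwords and the port
below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

REALM = "internal"      # constructed realm name
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def check_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


# Constructed user store; a real deployment would load this from a file or DB.
USERS = {"alice": hash_password("s3cret-example")}
# Checked against for unknown users so response time does not reveal which
# user names exist.
DUMMY_HASH = hash_password(os.urandom(16).hex())


def basic_header(user: str, password: str) -> dict:
    """Build the header a client sends (used here to construct sample requests)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def authorize(headers: dict) -> tuple:
    """Decide one subrequest. Returns (status, response_headers).
    Header names are compared case-insensitively, as HTTP requires."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, challenge
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):     # binascii.Error is a ValueError
        return 401, challenge
    user, sep, password = decoded.partition(":")
    if not sep:                                   # RFC 7617 requires user:password
        return 401, challenge
    stored = USERS.get(user)
    ok = check_password(password, stored or DUMMY_HASH)
    if stored is None or not ok:
        return 401, challenge
    # nginx can hand the identity to the real upstream with
    #   auth_request_set $auth_user $upstream_http_x_auth_user;
    return 200, {"X-Auth-User": user}


class AuthHandler(BaseHTTPRequestHandler):
    """HTTP wrapper; nginx only cares about the status code and these headers."""

    def do_GET(self):
        status, extra = authorize(dict(self.headers))
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    # The subrequest may carry the client's original method; treat them alike.
    do_HEAD = do_POST = do_PUT = do_DELETE = do_GET

    def log_message(self, fmt, *args):   # keep Authorization headers out of logs
        pass


if __name__ == "__main__":
    # Assumed nginx side (not from the original page):
    #   location = /_auth { internal; proxy_pass http://127.0.0.1:8081;
    #                       proxy_pass_request_body off; proxy_set_header Content-Length ""; }
    #   location /       { auth_request /_auth; ... }
    HTTPServer(("127.0.0.1", 8081), AuthHandler).serve_forever()
```

The `authorize` function is kept separate from the HTTP wrapper so the decision logic can be unit-tested without nginx in the loop; swapping the Basic check for a Bearer-token lookup changes only that function, which is the flexibility the answer's njs and Lua options also buy.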
If I restrict access to Solr with both Apache password protection and by restricting access to the server's own IP, is there any additional security benefit in configuring my search app to send its queries over HTTPS?
I am using an IP Access Handler in jetty.xml to restrict access based on IP.
See the Caveats section for Basic Authentication:
"Credentials are sent in plain text by default. It’s recommended to use SSL for communication when Basic authentication is enabled, as described in the section Enabling SSL."
Thus, for a secure installation, SSL must be used if Basic authentication is the only way that Solr's admin UI is protected.
Is it possible to make a Kerberos module for an Apache server running on Windows? I understand that I need to build a DLL file from some source, but how?
Thank you.
Try http://modauthkerb.sourceforge.net/
Mod_auth_kerb is an Apache module designed to provide Kerberos authentication to the Apache web server. Using the Basic Auth mechanism, it retrieves a username/password pair from the browser and checks them against a Kerberos server as set up by your particular organization. The module also supports the Negotiate authentication method, which performs full Kerberos authentication based on ticket exchanges, and does not require users to insert their passwords to the browser. In order to use the Negotiate method you need a browser supporting it (currently standard IE6.0 or Mozilla with the negotiateauth extension).
Is there an Apache authentication module out there that can blindly trust a header?
For instance, if a reverse proxy were to put the user "mboorshtein" into an HTTP header, is there a module that takes that header and sets the correct data structure in httpd (2.2.x)? I know it's insecure, but this is just for a prototype, before I go and implement a custom authentication provider.
You can probably use Apache anonymous auth. It doesn't help you build a new module, though. And the header must be the same as what basic auth uses (i.e. Authorization). For this to be secure, you need to make absolutely sure the server won't accept requests from any other host than the reverse proxy.
http://httpd.apache.org/docs/2.2/mod/mod_authn_anon.html
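The answer's two points, the identity travelling in the Authorization header and the backend accepting it only from the reverse proxy, are modelled in this added Python example (not code from the question, the answer or httpd). The proxy address, placeholder password and user names are constructed for illustration, and it assumes the anonymous provider on the backend is configured to accept any password for the asserted user.

```python
"""Trusting a user header only from the reverse proxy.

Added example, not code from the original question or answer or from httpd. It
models the answer's two points: the proxy translates its already-authenticated
user into the Authorization header that anonymous auth reads (a fixed placeholder
password, assuming the anonymous provider is configured to accept any password),
and the backend accepts that header only when the TCP peer is the reverse proxy,
because anyone else who can reach the backend could assert any user. Addresses,
header values and users are constructed for illustration.
"""
import base64
import ipaddress
from typing import Optional

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]   # constructed proxy address
PLACEHOLDER_PASSWORD = "anonymous"                          # constructed


def proxy_inject_auth(client_headers: dict, authenticated_user: str) -> dict:
    """Proxy side: discard whatever Authorization the client sent and set one
    built from the identity the proxy itself verified."""
    out = {k: v for k, v in client_headers.items() if k.lower() != "authorization"}
    token = base64.b64encode(
        f"{authenticated_user}:{PLACEHOLDER_PASSWORD}".encode("utf-8")).decode("ascii")
    out["Authorization"] = f"Basic {token}"
    return out


def backend_resolve_user(peer_ip: str, headers: dict) -> Optional[str]:
    """Backend side: take the asserted user only from a trusted proxy peer.
    Returns None (deny) for any other peer or for a malformed header."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None                      # the whole scheme rests on this check
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _placeholder_pw = decoded.partition(":")
    return user if sep and user else None
```

In a real deployment the peer check is done by the network (firewall, `Require ip` or `Allow from` on the backend) rather than in application code, but the logic is the same: the header is trustworthy exactly as far as the set of hosts that can reach the backend is limited to the proxy.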